Code Reviews and Compliance

Introduction

The Payment Card Industry Data Security Standard (referred to as PCI from now on) became a mandatory compliance step for companies processing credit card payments in June 2005.

Performing code reviews on custom code has been a requirement since the first version of the standard. This section will discuss what needs to be done with regards to code reviews to be compliant with the relevant PCI requirements.

Code Review Requirements

The PCI standard contains several points relating to secure application development but we will focus solely on the points which mandate code reviews here. All of the points relating to code reviews can be found in requirement 6: Develop and maintain secure systems and applications. Specifically requirement 6.3.7 mandates a code review of custom code:

6.3.7 - Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.

This requirement could be interpreted to mean that the code review must consider other PCI requirements, namely:

6.3.5 - Removal of custom application accounts, usernames and passwords before applications become active or are released to customers

6.5 - Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: (OWASP Top Ten listed)